Skip to main content

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

DHCP replies are practically link-local so AV:A, and winning the race against the real DHCP server raises AC:H; unauthenticated with the published confidentiality-only impact.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 18:36 vuln.today
CVE Published
Jul 14, 2026 - 17:05 cve.org
HIGH 7.5

DescriptionCVE.org

Integer underflow (wrap or wraparound) in Windows DHCP Client allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain position on victim link segment
Delivery
Send crafted DHCP OFFER/ACK reply
Exploit
Trigger integer underflow in option parser
Execution
Force out-of-bounds read in DHCP Client
Impact
Disclose memory / corrupt client state

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to deliver a crafted DHCP server response to the target's DHCP Client, which in practice means being on the same broadcast/link segment or otherwise able to answer DHCP (a rogue or spoofed DHCP server, or winning a race against the legitimate one); the CVSS vector is PR:N/UI:N so no authentication or user interaction is needed once such a reply reaches the client. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately strong but internally inconsistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same LAN segment (for example via a compromised host or rogue access point) stands up a malicious DHCP server or spoofs OFFER/ACK replies containing a crafted option field that underflows the client's length arithmetic. When the victim's DHCP Client parses the reply it performs an out-of-bounds read, leaking memory contents (and, if the vendor's privilege-elevation framing holds, corrupting client state). …
Remediation Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49181 for each affected OS/build; the input does not specify an exact fixed build number, so pull the correct KB per platform from that advisory rather than assuming one. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all affected systems (Windows 10 1607/1809 and Windows Server 2012-2025 across Server and Server Core editions). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-56155 HIGH POC
7.8 Jul 14

Local privilege escalation in Microsoft Active Directory Federation Services (AD FS) lets an already-authenticated low-p

CVE-2026-49798 CRITICAL POC
9.3 Jul 14

Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-leve

CVE-2026-50489 HIGH POC
8.8 Jul 14

Local privilege escalation in the Windows Win32K kernel subsystem (CWE-122 heap-based buffer overflow) lets an already-a

CVE-2026-54128 HIGH POC
8.4 Jul 14

Local code execution in the Windows DHCP Client service stems from a use-after-free (CWE-416) memory-corruption flaw aff

CVE-2026-54992 HIGH POC
8.4 Jul 14

Local code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and s

CVE-2026-50518 CRITICAL
9.8 Jul 14

Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated network attacker to run arbitr

CVE-2026-50667 HIGH POC
7.8 Jul 14

Elevation of privilege in the Windows NTFS file-system driver lets an already-authenticated local user escalate to SYSTE

CVE-2026-50655 HIGH POC
7.8 Jul 14

Local code execution in the Windows Media component of supported Windows 10, Windows 11, and Windows Server (2016 throug

CVE-2026-57092 CRITICAL
9.9 Jul 14

Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating

CVE-2026-56188 CRITICAL
9.8 Jul 14

Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthoriz

CVE-2026-56190 CRITICAL
9.8 Jul 14

Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary

CVE-2026-50447 CRITICAL
9.8 Jul 14

Remote code execution in Microsoft Windows Message Queuing (MSMQ) allows an unauthenticated attacker to run arbitrary co

Share

CVE-2026-49181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy